[57] ABSTRACT

A method and system for registration, authorization, and 
control of access rights in a computer system. Access rights 
of subjects on objects in a computer system are controlled 
using parameterized role types that can be instantiated into 
role instances equivalent to roles or groups. The required 
parameters are provided by the subject of the computer 
system, e.g. by a person, a job position, or an organization 
unit. Furthermore, relative resource sets are instantiated into 
concrete resource sets and individual resources by using the 
same parameter values as for instantiating the role types. 
Authorization and control of access rights include capability 
lists providing the access rights of the subjects on the objects 
of a computer system on a per subject basis. Furthermore, 
access control lists are derived from capability lists, so that 
access rights of the subjects on the respective objects are 
provided. 

11 Claims, 10 Drawing Sheets 
METHOD AND SYSTEM FOR ADVANCED
ROLE-BASED ACCESS CONTROL IN 
DISTRIBUTED AND CENTRALIZED 
COMPUTER SYSTEMS 

FIELD OF THE INVENTION 

The present invention relates to the technical field of 
role-based access control methods and security systems in 
distributed and centralized computer systems. More 
specifically, the invention relates to a method for controlling 
access rights of subjects on objects in a computer system by 
controlling said access rights dependent on a membership of 
a subject to a role. Furthermore, the invention relates to a 
system for registration, authorization, and control of access 
rights of subjects on objects in a computer system, wherein 
the system comprises users, groups, and access control lists 
at each object providing the access rights on the respective 
object. 

DESCRIPTION OF THE PRIOR ART 

In a computer system the accesses of users to data have to 
be controlled for security needs of the enterprise or organi- 
zation using this computer system. The control of these 
accesses is performed by using access rights defining 
whether and how a user may access data in the computer 
system. This access control is performed by a security 
system which is integrated in or added to the operating 
system of the computer system. This security system per- 
forms a specific method for controlling access rights. 

In most of the installed computer systems access rights 
are granted or revoked explicitly for individual users or 
group of users on respective data or, more generally, on 
respective objects by a system administrator. All access 
rights of all users on an object form an access control list 
(ACL) associated to the object. When an access request 
occurs during operation time of the computer system from a 
user or, more generally, from a subject to the object, then the 
security system looks at the access control list of the 
respective object and decides whether the subject may 
access the object in the requested manner. These broadly 
installed security systems allow a so-called "per-object- 
review" of access rights, that is, to determine the kind of 
access rights of all subjects of a computer system to a 
respective object. 

Since it is very inconvenient for a system administrator to 
provide each user with individual access rights, and to 
achieve a higher grade of data security and integrity in a 
computer system, a Role-Based Access Control (RBAC)
method has been developed. Therein, a role is mainly a
definition of a job at the lowest level of granularity used in 
the enterprise or organization. In a role-based access control 
system the system administrator only has to grant or revoke 
access rights to a role and has to group different subjects 
under each role. 

In F. H. Lochovsky: "Role-Based Security in Data Base
Management Systems" which is incorporated in C. E. Land- 
wehr (editor): "Database Security: Status and Prospects", 
Elsevier Science Publishers B. V, 1988, pp. 209-222, the 
use of roles and objects in specifying a security mechanism 
for data base management systems is discussed. Using the 
idea that a user can play certain roles, authorization is 
specified using these roles. 

In R. W. Baldwin: "Naming and Grouping Privileges to 
Simplify Security Management in Large Data Bases", Pro- 
ceedings of IEEE Symposium on Security and Privacy, 
Oakland, 1990, pp. 116-132, authorization and control of 
access rights in large security systems in the field of data
base objects are described. 

In D. Ferraiolo et al.: "Role-Based Access Controls",
Proceedings of the 5th National Computer Security
Conference, October 1992, pp. 554-563, the role-based
access control method is described in detail. Access control
decisions are often based on the roles individual users take
on as part of an organization. A role specifies a set of
transactions that a user or set of users can perform within the
context of an organization. Role-based access control pro-
vides a means of naming and describing relationships
between individuals and access rights, providing a method
of meeting the secure processing needs of many commercial
and civilian government organizations.

Concerning the method of controlling access rights in a
computer system as known from the existing role-based
access control methods it is disadvantageous that a large
number of similar but not identical job positions in an
organization requires a large number of roles. This large
number of roles causes a high storage requirement for the
security system within the computer system. Furthermore, it
is disadvantageous that the large number of roles causes high
computing requirements for the security system. Both
aspects lead to high costs for the operation of the security
system. Furthermore, it is disadvantageous that the large
number of roles makes it very difficult to manage the
security system. The system administrator has to create a
new role when a person remains in his job position but
changes his location or project. This will cause higher costs
or even less system security. Furthermore, a role includes
the union of all accesses and objects which users of that role
have in different organization units of the enterprise. This
means that the role will not necessarily contain the least
privileges necessary for the functions of that role, i.e., a
violation of the "Least Privilege Principle". However, if one
attempts to mitigate the lack of access granularity by
defining different roles based on access and object contexts,
which may be possible in some designs, an administrative
mechanism becomes necessary to relate these roles so that
their consistent administration, e.g., update, becomes pos-
sible. Such a mechanism is not available today.

Concerning the access control system, it is disadvanta-
geous that the existing role-based access control systems do
not use the existing security mechanisms of the installed
computer systems based on the existence of access control
lists. Therefore, new security mechanisms or even new
security systems have to be implemented on the existing
computer system. This causes additional hardware and soft-
ware development with related high costs. This is even more
disadvantageous in distributed or large centralized computer
systems. Existing standard access control mechanisms for
distributed systems as described in "Introduction to OSF
DCE", Open Software Foundation (OSF), 1991, allow scal-
ability to very large distributed systems. To date no role-
based access control method scalable to large distributed
systems exists.

It is an object of the present invention to provide a method
for controlling access rights that is scalable to very large
distributed computer systems and requires less storage and
computing performance for the security system.
Furthermore, it is an object of the invention to provide a
role-based method for controlling access rights that does not
necessarily violate the "Least Privilege Principle" but at the
same time is more flexible and more convenient for the
system administration.

Concerning the system for authorization and control of 
access rights, it is an object of the invention to provide a 
system that can use the security system of installed computer
systems based on access control lists. 

SUMMARY OF THE INVENTION 

A method and system for registration, authorization, and 
control of access rights in a computer system are disclosed 
in the present invention. The inventive method for control- 
ling access rights of subjects on objects in a computer 
system uses parameterized role types that can be instantiated 
into role instances equivalent to roles as known from the 
prior art. The required parameters are provided by the 
subject of the computer system. The computer system may 
derive the parameters from the job position of a subject or 
its membership in an organization unit. Furthermore, the 
inventive method provides relative resource sets which are 
instantiated into concrete resource sets and individual 
resources by using the same parameter values as for instan- 
tiating of role types. 

The inventive system for authorization and control of 
access rights as disclosed in the present invention comprises 
capability lists providing the access rights of the subjects on 
the objects of a computer system on a per-subject basis. 
Furthermore, the inventive system comprises means for 
deriving access control lists from the capability lists, 
wherein the system provides said access rights of the sub- 
jects on the respective objects on a per-object basis. Within 
the inventive method, subjects are all possible types of 
holders of access rights within said computer system as for 
example persons, job positions, role instances, users, and 
transactions. Furthermore, objects are all possible types of 
resources on which access rights can be defined within the 
computer system as for example files, disks, displays, 
printers, scanners, and transactions. 

The invention eliminates the disadvantages previously 
described for the prior art. A method for controlling access 
rights providing role types that can be instantiated into role 
instances offers the possibility to design a security system 
for a computer system with very high flexibility. Since only 
a small number of role types has to be defined it is advan- 
tageous that less computing resources have to be provided 
for the security system within the computer system. 
Furthermore, it is advantageous that less administration 
activities caused by the definition of only a small number of 
role types requires less efforts, and thus restricts the possi- 
bility and probability of errors and confusion and therefore 
provides a higher system security. Furthermore, it is advan- 
tageous that by providing the appropriate parameter values, 
the role instances of a role type can be restricted in such a 
way that the "Least Privilege Principle" is satisfied. 
Furthermore, it is advantageous that the automated genera- 
tion of role instances by instantiating role types offers higher 
security of the computer system and higher integrity of the 
data within the computer system. 

A role type combines a set of functional tasks with a
common generic set of competencies. A role type can be
viewed as a template for defining the types of access rights,
objects, and transactions necessary to carry out a set of
functional tasks.

A role instance, on the other hand, defines the set of
concrete and specific competencies bound to a role type in
a specific organization unit of the enterprise. An organiza-
tion unit may be a division, a department, a program, a
project, a work-flow process or a combination thereof.

In one embodiment of the invention the role type is 
parameterized and the role instance is generated by using at 
least one parameter value. The use of a parameterized role 
type allows more flexibility of the security system and less
administration activities. Furthermore, it is advantageous 
that the use of parameterized role types requires less com- 
puting resources for the security system. 

In a further embodiment of the invention the objects of the
computer systems form groups of concrete resource sets.
Forming of such concrete resource sets is advantageous
since it allows one to address functional groups of resources
or objects with less computing efforts of the security system
and less administrative overhead.

In a further embodiment of the invention the method
allows the automated derivation of the concrete resource sets
from parameterized relative resource sets. This offers a
higher flexibility of the security system with less adminis-
tration efforts. Furthermore, it is advantageous that less
computing resources are required for the security system.

In a further embodiment of the invention the method
provides the parameter value for instantiating the param-
eterized role types or the parameterized relative resource
sets by the subjects of the computer system. This is advan-
tageous since the derivation of role instances from role types
or the derivation of concrete resource sets from relative
resource sets can be fully automated and requires no admin-
istration efforts. This restricts the possibility and probability
of errors and confusion and therefore provides a higher
system security.

In a further embodiment of the invention the parameter
value is provided by the job position or by the organization
unit. This is advantageous since it provides a very flexible
security system that requires very little administration activ-
ity when a person as a user of the computer systems changes
job position or even organization unit. This requires less
efforts, and thus restricts the possibility and probability of
errors and confusion and therefore provides a higher system
security.

In a further embodiment of the invention the job position
is combined with at least one role type. This is advantageous
since it allows the deriving of role instances associated with
this role type by providing all necessary parameters for
instantiating a role type with this job position. This allows
automated derivation of role instances with no administra-
tion activity and therefore requires less efforts, and thus
restricts the possibility and probability of errors and confu-
sion and therefore provides a higher system security.

In a further step of the invention the parameterized
relative resource sets are associated with the role types. This
is advantageous since it allows automated derivation of the
concrete resource sets and objects by the same parameters as
provided for the role types. This allows automated deriva-
tion of the concrete resource sets with no administration
activities and therefore requires less efforts, and thus
restricts the possibility and probability of errors and confu-
sion and therefore provides a higher system security.

In a further step of the invention the inventive method
performs a configuring step for deriving the role instances
and the concrete resource sets and objects. This automated
configuring step is performed with each administration
action and provides at any time the actual and valid role
instances and concrete resource sets and objects. This is
advantageous since it guarantees the efficiency of the secu-
rity system and guarantees the security and integrity of data
within the computer system.

In a further embodiment the method specifies capability
list types associated with the role types and performs an
automated configuring step for deriving capability lists
associated with role instances. The capability lists are instan-
tiated from the capability list types by using the same
parameters as for instantiating role types and these capabil-
ity lists provide the access rights of the role instances on the
objects within the computer system. The provision of capa-
bility lists within the security system of the computer system
is advantageous, since it allows an automatic examination of
the access rights of all subjects on all possible objects within
the computer system without any administration activities
and therefore requires less efforts, and thus restricts the
possibility and probability of errors and confusion and
therefore provides a higher system security.

In a further embodiment of the invention the method
generates or modifies access control lists associated with the
concrete resource sets and objects. This is advantageous
since it supports the security systems as known from the
prior art and as used within a large number of installed
computer systems with all information required from these
security systems. Therefore, the inventive method can be
easily applied to the existing security systems without
difficult modification or even expensive new implementa-
tion of the security system. In the case of scalable existing
security systems for large distributed environments this
method guarantees scalability of the role-based access con-
trol mechanism as well.

In a further aspect of the invention the role types are
organized hierarchically. This is advantageous since it
allows the organization of role types by subsuming relations.
Therefore, if a first role type subsumes a second role type
then the set of access rights available to an instance of the
first role type includes those available to a corresponding
instance of the second role type. This allows very easy
control of access rights with only little administration
efforts. Furthermore, it is advantageous that the hierarchical
organization of role types requires less computing resources
of the security system.

With the invention related to a computer system for
authorization and control of access rights, the disadvantages
previously described for the prior art are eliminated. The
registration, authorization, and control system presented in
this application offers the advantage that access control lists
at the object as well as capability lists at the subjects are
provided. This allows a fast review of the access rights of a
subject on all possible objects with only little computing
resources for the security system. Furthermore, it allows a
quick review of all access rights of all possible subjects on
a specific object with only little computing resources for the
security system. Furthermore, it is advantageous that a
system comprising access control lists at the object as well
as capability lists at the subject may be applied to all
computer systems installed in the field without any change
or new implementation in the operating system of the
installed computer systems. Furthermore, the simultaneous
existence of access control lists and capability lists offers
high data security and integrity within the computer system.
This is even more advantageous for large distributed com-
puter systems.

In a further embodiment of the invention the system
comprises means for deriving the access control lists for the
objects from the capability lists at the subjects. The existence
of this means is advantageous since it allows the automatic
derivation of access control lists which are required by a
large number of security systems of installed computer
systems. Therefore, the inventive system can be easily
applied to existing computer systems without any modifi-
cation of the security system of the installed computer
systems. Furthermore, it is advantageous that this means
derives the access control lists automatically and therefore
high data security and integrity within the computer system
can be guaranteed. Furthermore, since the underlying access
control mechanisms of existing security systems are used for
access control checks at operation time, the inventive system
does not lead to performance penalties and is scalable to the
same degree as the underlying system.

In a further embodiment of the invention the system
comprises means for deriving the access control lists in a
configuration step of the security system. This configuring
step can be performed with or after each administration
action. This means offers the advantage that the access
control lists are actualized with each administration action
and therefore guarantees high data security and integrity
within the computer system. Furthermore, this means is
advantageous since it guarantees the data security and
integrity with less computing resources for the security
system and requires less efforts, and thus restricts the
possibility and probability of errors and confusion and
therefore provides a higher system security.

In a further embodiment the system comprises means for
deriving the capability lists from a role-based access control
system. The presence of this means allows the application of
role-based access control systems as known from the prior
art on the security systems of computer systems as installed
in the field in large numbers. The inventive system allows
advantageously the application of role-based access control
systems without any modification or even new implemen-
tation of the security systems. Therefore, role-based access
control systems can be applied to computer systems at low
cost and with high security and integrity of the data within
the computer system.

In a further embodiment of the invention the system
comprises means for deriving and generating user accounts
from the capability list. This is advantageous since it allows
the automatic derivation and generation of user accounts on
all computer systems that host objects occurring on the
capability lists of subjects. This requires less efforts, and
thus restricts the possibility and probability of errors and
confusion and therefore provides a higher system security.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 gives an overview of the method for controlling
access rights.

FIG. 2A gives an overview of role type instantiation.

FIG. 2B shows an example of role type instantiation.

FIG. 2C shows the example of role type instantiation of
FIG. 2B in more detail.

FIG. 3A shows the aspect of role type hierarchy of the
inventive method.

FIG. 3B shows an example of role type hierarchy for the
business field of banking.

FIG. 4 shows a method of resource definition.

FIG. 5 gives an overview of the method for controlling
access rights on organizational level as on system level.

FIG. 6 gives an overview of the system for authorization
and control of access rights.

FIG. 7 shows the possibility of a per-object-review as well
as a per-subject-review as provided by the inventive system.

DESCRIPTION OF A PREFERRED EMBODIMENT

An elaborated preferred method for controlling access
rights of subjects on objects in a computer system and a
preferred embodiment of a system for authorizing and
control of access rights according to the present invention
will be described with reference to the accompanying draw- 
ings. 

The FIG. 1 gives an overview of the method for control-
ling access rights. A set of subjects 1 as holders of access
rights is defined and associated to a set of role types 2. The
role types 2 are instantiated into a set of role instances 3 and
therefore the subjects 1 are associated to the role instances
3. Multiple subjects 1 can be associated with one role type
2. Also, a subject 1 can be associated with more than one role
type 2. The instantiation of role types 2 into role instances
3 also determines the association between the role instances
3 and the objects 4 of the computer system. Usually there
will be multiple instances of one role type due to different
parameter values provided by different subjects.

The FIG. 2A gives an overview for the method of role
type instantiation. Persons 5 that are users of an enterprise
computer system are employees acting in assigned job
positions 6. Each job position 6 is associated with a set of
functional tasks and, thus, these tasks are associated with
users in the enterprise organization hierarchy. Each task
requires a set of competencies, which can be viewed as a set
of specific access rights to a set of objects 4 necessary to
carry out that task. Hence, each job position 6 ultimately
associates a user with specific access rights to a set of objects
4. Thus, a security administrator must be able to associate
these rights, objects, and transactions with the job positions
of the enterprise organization. To enable this, the concepts of
role types and role instances are defined.

The FIG. 2B shows job positions 6, role types 2, and the
creation of role instances 3. The diagram shows an organi-
zation structure, e.g. organization units 7 and job positions
6, on the left and a set of role types 2 on the top of the matrix.
An "X" in a field of the matrix means that a role instance 3
of the corresponding role type 2 is assigned to the job
position 6. The necessary parameter values to instantiate the
role type 2 are derived from attributes of the individual job
position 6 or a higher level organization unit 7. The values of
these attributes determine the actual competencies the job
position 6 is assigned via the role instance 3. Job positions
6 may share the same role instance 3 as illustrated by the
shaded fields in a column.

A job position 6 is associated with one or more role 
instances 3, depending upon how granular the job position 
6 is intended to be. These role instances 3 are derived from 
different role types 2. For example, there are three role 
instances associated with the job position "staff member 2" 
of "private loans", one derived from the role type "loan 
specialist", another one derived from "customer consultant", 
and one derived from "bank employee". 

Often similar job positions, such as "staff member 1" and 
"staff member 2" of the "private loans" department, will be 
assigned to the same role instance as shown from the shaded 
fields in the matrix, because none of the attributes that are 
relevant for instantiating the role type differ between the job 
positions. However, different job positions 6 or similar job 
positions 6 in different organization units 7 will usually be 
associated with different role instances 3 of the same role 
type 2, because they bring in different attribute values for the 
role type instantiation. In the above example the role type 
"loan specialist" is instantiated in two different role 
instances that are bound to two different job positions of the 
department "object appraisal", the "team-leader" and the 
"staff member 1" position. 

Job sharing can be modelled by assigning one job position 
6 to multiple persons 5. On the other hand a single person 
5 may be assigned to multiple job positions 6. For example,
a person 5 in a "staff member" position in a department may
also act, perhaps temporarily, as the "department manager".
Of course, assignment to some job positions 6 may exclude
assignment to other job positions 6 for separation-of-duty
reasons. For example, a person 5 in the job position 6
"security administrator" may not be assigned to the job
position 6 of "auditor" because otherwise the accountability
of the "security administrator's" actions would be lost.

The FIG. 2C shows an example of the role type instan-
tiation method in more detail, especially for the role instance
in the framed matrix cell 15 of FIG. 2B. A role instance 3
binds the relative competencies defined by a role type 2 to
the objects 4, and access rights specific to an organization
unit 7 or a job position 6. To perform this, at first for each
organization unit 7 and for each job position 6 a set of
attributes has to be declared as relevant for role type
instantiation. These attributes are said to be advertised. As an
example, this could be the department identity or the loca-
tion attribute of the department organization unit or the
project identity attribute of a job position 6. Second,
so-called relative resource sets 8 may be defined and asso-
ciated with role types 2. A relative resource set 8 specifies
the parameters it expects for instantiation from among the
advertised ones in the enterprise. For example, one could
define the relative resource set "printers (printlocation)" by
enumerating the printers that are available to each location:

printers (Boeblingen) := {p2160, p2240, ...}
printers (Heidelberg) := {prt01, prt02, ...}

The "printlocation" parameter is declared as referencing the
advertised "location" attribute of a department.

Thus, when a job position 6 as part of certain organization
units 7 is combined with a role type 2 associated with
parameterized relative resource sets 8, the actual resources
can be determined by instantiating the parameters with the
values of the advertised attributes for this job position 6. In
the example of FIG. 2C, if

1. private loans is located in Heidelberg,

2. the relative resource set 8 "printers (printlocation)" is
associated with role type 2 "bank employee" with
permission "use", and

3. "staff member 1" of the department "private loans" is
assigned the role type 2 "bank employee",

then "staff member 1" will have "use" access to the printers
"prt01, prt02, ...".

Whether a new role instance 3 has to be created in this
case depends on whether the "bank employee" role type 2
has already been instantiated with the same parameters. If
this is the case "staff member 1" will only be assigned the
already existing role instance 3 "bank employee (...,
Heidelberg, ...)".
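The instantiation just described, as an added Python example that is not code from the patent: organization units and job positions advertise attributes, a relative resource set declares which advertised attribute its parameter references, and a role type associated with that set is instantiated per job position, reusing an existing role instance whenever the parameter values are the same. The unit names, attribute values and printer identifiers are constructed after the FIG. 2B/2C text, and the exclusive pair "security administrator"/"auditor" follows the separation-of-duty paragraph above; the class and function names are assumptions of this example.

```python
"""Parameterized role types and relative resource sets.

Added example, not code from the patent. Units, job positions, printers and
the exclusive job pairs below are constructed sample data after FIG. 2B/2C."""
from dataclasses import dataclass

# Advertised attributes of organization units (constructed).
ORG_UNITS = {
    "private loans": {"location": "Heidelberg"},
    "object appraisal": {"location": "Boeblingen"},
}
# Job position -> (organization unit, attributes advertised by the position).
JOB_POSITIONS = {
    "staff member 1 / private loans": ("private loans", {}),
    "staff member 2 / private loans": ("private loans", {}),
    "team-leader / object appraisal": ("object appraisal", {"project": "P7"}),
}
# Enumeration behind the relative resource set printers(printlocation).
PRINTERS_BY_LOCATION = {
    "Boeblingen": {"p2160", "p2240"},
    "Heidelberg": {"prt01", "prt02"},
}
# Job positions that exclude each other for separation-of-duty reasons.
EXCLUSIVE_JOBS = [frozenset({"security administrator", "auditor"})]


@dataclass(frozen=True)
class RelativeResourceSet:
    name: str
    parameter: str      # parameter the set expects, e.g. "printlocation"
    references: str     # advertised attribute the parameter is bound to
    table: dict         # parameter value -> concrete resources

    def instantiate(self, value):
        """Concrete resource set for one parameter value."""
        return frozenset(self.table.get(value, ()))


@dataclass(frozen=True)
class RoleType:
    name: str
    entries: tuple      # (RelativeResourceSet, permission) pairs


@dataclass(frozen=True)
class RoleInstance:
    role_type: str
    parameters: tuple   # sorted (attribute, value) pairs used to instantiate
    capabilities: frozenset  # (resource, permission) pairs


def advertised_attributes(job):
    """Attributes of the job position merged with those of its unit."""
    unit, extra = JOB_POSITIONS[job]
    return {**ORG_UNITS[unit], **extra}


class SecuritySystem:
    def __init__(self):
        self.instances = {}    # (role type, parameters) -> RoleInstance
        self.assignments = {}  # job position -> list of instance keys
        self.persons = {}      # person -> set of job positions held

    def assign_role_type(self, job, role_type):
        """Instantiate role_type for job, reusing an instance with equal parameters."""
        attrs = advertised_attributes(job)
        needed = sorted({rset.references for rset, _ in role_type.entries})
        params = tuple((a, attrs[a]) for a in needed)  # KeyError: not advertised
        key = (role_type.name, params)
        if key not in self.instances:
            caps = set()
            for rset, perm in role_type.entries:
                for resource in rset.instantiate(attrs[rset.references]):
                    caps.add((resource, perm))
            self.instances[key] = RoleInstance(role_type.name, params, frozenset(caps))
        self.assignments.setdefault(job, []).append(key)
        return self.instances[key]

    def access_of(self, job):
        """Union of the capabilities of all role instances of a job position."""
        caps = set()
        for key in self.assignments.get(job, []):
            caps |= self.instances[key].capabilities
        return caps

    def assign_person(self, person, job):
        """Assign a person to a job position unless an exclusive one is held."""
        held = self.persons.setdefault(person, set())
        for pair in EXCLUSIVE_JOBS:
            if job in pair and held & (pair - {job}):
                raise ValueError(f"separation of duty: {person} holds {sorted(held & pair)}")
        held.add(job)


PRINTERS = RelativeResourceSet("printers", "printlocation", "location",
                               PRINTERS_BY_LOCATION)
BANK_EMPLOYEE = RoleType("bank employee", ((PRINTERS, "use"),))


def demo():
    """Assign "bank employee" to three job positions in two locations."""
    system = SecuritySystem()
    for job in JOB_POSITIONS:
        system.assign_role_type(job, BANK_EMPLOYEE)
    return system


if __name__ == "__main__":
    s = demo()
    for key, inst in s.instances.items():
        print(key, sorted(inst.capabilities))
```

Running `demo()` creates only two role instances for three job positions: both "private loans" positions bring the same advertised location and therefore share "bank employee (Heidelberg)", while the "object appraisal" position receives a separate instance bound to the Boeblingen printers. The instance key is the role type name plus the sorted parameter tuple, which is what makes the reuse decision deterministic.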

FIG. 3A shows the role type hierarchy in the disclosed
inventive method. The access-control policy semantics cap-
tured by the specification of role types reflect the functional
partitioning and inclusion of generic access rights,
resources, and transactions necessary to conduct the busi-
ness activities and management of an enterprise. This par-
titioning and inclusion is intended to cover the data and
application access relationships that are independent of the
user's job position 6 and organization context, i.e. units 7, of
the enterprise. The rest of the access-control semantics
captured by role instances 3 and job positions 6 reflect
constraints placed by enterprise policies, such as the need-
to-know and separation-of-duty policies, on enterprise orga-
nization units 7.
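The role type hierarchy of FIG. 3A, together with the capability lists and the derivation of access control lists from them described in the summary above, as an added Python example that is not code from the patent. A subsuming role type must carry at least the parameters of the role types it subsumes; a role instance is the role type name plus parameter values, and its capability list is the union of its own competencies and those of every subsumed role type instantiated with the same values. Per-object access control lists are then derived from the per-subject capability lists, giving both the per-subject and the per-object review. The role types "bank employee" and "loan specialist", their parameters, resource templates and the subjects are constructed sample data; all function names are assumptions of this example.

```python
"""Role type hierarchy, capability lists, and access control lists derived
from them.

Added example, not code from the patent. The role types, their parameters
and competencies, and the subjects below are constructed sample data."""
from collections import defaultdict

# Role type -> parameters, generic (resource template, permission)
# competencies, and the role types it subsumes.
ROLE_TYPES = {
    "bank employee": {
        "params": {"location"},
        "competencies": [("printers({location})", "use")],
        "subsumes": [],
    },
    "loan specialist": {
        "params": {"location", "department"},
        "competencies": [("loan-files({department})", "read"),
                         ("loan-files({department})", "write")],
        "subsumes": ["bank employee"],
    },
}


def check_hierarchy(role_types):
    """A subsuming role type must have at least the parameters of each role
    type it subsumes; otherwise no corresponding instance can be formed."""
    for name, rt in role_types.items():
        for sub in rt["subsumes"]:
            missing = role_types[sub]["params"] - rt["params"]
            if missing:
                raise ValueError(f"{name} subsumes {sub} but lacks {sorted(missing)}")
    return True


def generic_competencies(role_types, name, seen=None):
    """Competencies of a role type including all subsumed role types."""
    seen = set() if seen is None else seen
    if name in seen:
        return []
    seen.add(name)
    comps = list(role_types[name]["competencies"])
    for sub in role_types[name]["subsumes"]:
        comps += generic_competencies(role_types, sub, seen)
    return comps


def instantiate(role_types, name, params):
    """Capability list of the role instance name(params)."""
    missing = role_types[name]["params"] - set(params)
    if missing:
        raise ValueError(f"missing parameters {sorted(missing)} for {name}")
    return frozenset((template.format(**params), perm)
                     for template, perm in generic_competencies(role_types, name))


def capability_lists(role_types, memberships):
    """Per-subject capability lists; memberships maps a subject to the
    (role type, parameter values) pairs it is assigned."""
    caps = {}
    for subject, roles in memberships.items():
        caps[subject] = frozenset().union(
            *(instantiate(role_types, rt, p) for rt, p in roles))
    return caps


def derive_acls(caps):
    """Derivation means: per-subject capability lists -> per-object ACLs."""
    acls = defaultdict(lambda: defaultdict(set))
    for subject, entries in caps.items():
        for resource, perm in entries:
            acls[resource][subject].add(perm)
    return {res: {s: frozenset(p) for s, p in subs.items()} for res, subs in acls.items()}


def subsumption_holds(role_types, upper, lower, params):
    """Rights of the lower instance are contained in the corresponding
    (same parameter values) instance of the upper role type."""
    return instantiate(role_types, lower, params) <= instantiate(role_types, upper, params)


def demo():
    check_hierarchy(ROLE_TYPES)
    memberships = {
        "staff member 1 / private loans": [
            ("loan specialist", {"location": "Heidelberg", "department": "private loans"})],
        "staff member 1 / object appraisal": [
            ("bank employee", {"location": "Heidelberg"})],
    }
    caps = capability_lists(ROLE_TYPES, memberships)
    return caps, derive_acls(caps)


if __name__ == "__main__":
    caps, acls = demo()
    for subject, entries in caps.items():       # per-subject review
        print(subject, sorted(entries))
    for resource, subjects in acls.items():     # per-object review
        print(resource, subjects)
```

Because the ACLs are a pure function of the capability lists, re-running `derive_acls` after every administrative change is the configuring step the summary describes: the per-object view can never drift from the per-subject view, and an object whose ACL names a subject that holds no matching capability is immediately visible as an inconsistency.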

A role type 2 is defined as a set of generic parameter-dependent resources and their associated permissions or access rights. In a special case they may also contain concrete resources that do not depend on any parameters. Role types 2 can be organized hierarchically by a "subsumed" relation. If a first role type 16 subsumes a second role type 17 then the set of access rights available to an instance 18 of the first role type 16 includes those available to a corresponding instance 19 of the second role type 17. The expression "corresponding" in this context means that both role types 16, 17 are instantiated with the same parameter values. The subsuming role type 16 must have at least the parameters of the subsumed role type 17, but it may have more.

The role type hierarchy defines in mathematical terms a lattice structure. Trivially, the top of the lattice can include all types of access rights to all objects 4, whereas the bottom can include the respective empty sets. Of course, lattices with non-trivial tops and bottoms can be defined. When instantiating a lattice of role types in a system, the top and bottom of the lattice need not be used for any specific role instance 3 and job position 6.

It is the implicit assumption which leads to the notion of the role type hierarchy that the sets of generic competencies of job functions 6 and the role types 2 derived from them

1. can be structured as hierarchies by the subsumed relation and

2. do not change very frequently.

The first assumption appears to be realistic because enterprise access control policies are often defined to reflect the hierarchical relationship built in an enterprise organization and functions. The second assumption also appears to be realistic because the job functions defined within an enterprise are stable since they are based on the enterprise business characteristics. Since the definition of job functions does not change very often, the sets of access rights to objects 4 needed for a job position 6 are not expected to change very often. It is important that neither assumption prevents the addition of new role types 2 to the lattice nor that of new role instances 3 and job positions 6 to an enterprise.

FIG. 3B shows an example for the role type hierarchy within the inventive method of access control. The example shows a hierarchy of the role types 2 used in FIG. 2B. In this example the access rights of a "second-line manager" and of a "first-line manager" subsume those of a "secretary", which in turn subsume those of a "typist". All role types subsume the role type "bank employee". As a consequence "bank employee" could be dropped from the matrix in FIG. 2B because the corresponding competencies are covered by a membership in any of the other role types. For the same reason the "team-leader" of the "object appraisal" department does not have to be assigned the "loan specialist" role explicitly since his "team-leader" role type subsumes it.

FIG. 4 shows the instantiation of concrete resource sets 9 and individual resources 10 from parameterized relative resource sets 8. The parameterized relative resource sets 8 are associated to the parameterized role types 2. The concrete resource sets 9 are derived from the parameterized relative resource sets 8 by using the parameter values provided from the subjects 6, 7 in the computer system, e.g. provided from the job positions 6 and organization units 7 of the enterprise. The individual resources 10 are grouped into concrete resource sets 9. For example, one possible parameterized relative resource set 8 is the resource set of "printers" with a parameter "printlocation". By providing the location parameter, for example location Heidelberg, the relative resource set 8 is instantiated into the concrete resource set 9 that includes all printers at the location Heidelberg. These printers at the location Heidelberg represent the individual resources 10.

FIG. 5 shows an overview of the method for controlling access rights for the organizational level 20 as well as for the system level 21. It is shown that on the system level 21 persons 5 are represented as users 22, wherein one person 5 may have multiple user identifications, which may be derived from the role information and automatically generated (automatic registration) in the same way as the access rights are derived (automatic authorization). Furthermore, it is shown that the role instances 3 on the organization level 20 are represented by groups 23 on the system level. Furthermore, the concrete resource sets 9 are represented by the individual resources 10 on the system level 21.

FIG. 6 shows a preferred embodiment of a system for authorization and control of access rights as disclosed in the present invention. It is shown that capability lists 30 associated to the subjects 1 of the computer system and containing the access rights of the respective subject 1 on the objects 4 of the computer system are converted by appropriate derivation means 32 into access control lists 31 associated to the objects 4 of the computer system and containing the access rights of the subjects 1 of the computer system on the respective object 4. The derivation means 32 can be implemented by hardware or by software. Furthermore, it is also possible to derive capability lists 30 from existing access control lists 31.

FIG. 7 shows the possibility to perform a per-object review 40 with the inventive system for authorization and control of access rights. In the example the access rights may be an execute permission "X", a read permission "R", or a write permission "W". Since the inventive control system provides access control lists 31 associated with the objects 4 of the computer system it is possible to evaluate these access control lists 31 in order to determine all access rights of groups 23 within the computer system on the respective object 4. The group 23 is the representation of an instance, i.e. a role instance 3, of a parameterized role type 2. The role instance 3 is assigned to at least one job position 6 of a person 5, and the job position 6 has at least one user identification.

As also shown in FIG. 7, the inventive system for authorization and control of access rights as disclosed in the present invention offers the possibility to perform a per-subject review 41. The job position 6 to which a person 5 is assigned is associated with a role. Associated to this role are the access rights of that role on the objects 4 of the computer system. The inventive system comprises capability lists 30 of access rights for each role. Furthermore, the system comprises deriving means 32 to generate new or modify existing access control lists 31 from the capability lists 30.

What is claimed is:

1. A method for controlling access rights of at least one
subject on at least one object in a computer system, wherein
said subject is associated to at least one role, said method
comprising the steps of:

controlling said access rights dependent on a membership
of said subject to said role,

controlling said access rights dependent on a parameterized
role type,

controlling said access rights dependent on at least one
parameterized relative resource set,

representing said role by instantiating a role instance by
deriving said role instance from said role type,

said step of instantiating said role instance being based on
providing a parameter value to said role type, said
parameter value further characterizing said subject,

instantiating a concrete resource set by deriving said
concrete resource set from said relative resource set,

said step of instantiating said concrete resource set being
based on providing said parameter value to said relative
resource set,

and providing said object as an element of said concrete
resource sets.

2. The method according to claim 1, further comprising
the step of:

providing said parameter value by said subject.

3. The method according to claim 2, wherein a job
position within an organization unit of the organization of
said subject is provided, said method further comprising the
step of:

providing said parameter value by said job position or by
said organization unit.

4. The method of claim 3, further comprising the step of:

combining said job position with at least one of said role
types.

5. The method of claim 1, further comprising the step of: 
associating at least one of said parameterized relative 

resource sets with said role types. 

6. The method of claim 5, further comprising the step of: 
performing a configuring step for deriving said role 

instances and for deriving said concrete resource sets 
and objects. 

7. The method of claim 1, further comprising the steps of:

specifying capability list types associated with said role
types; and,

performing a configuring step for deriving a capability list 
associated with a corresponding role instance from said 
capability list types, said capability list providing said 
access rights of said role instance on said objects. 

8. The method of claim 7, further comprising the step of: 
modifying access control lists associated with said con- 
crete resource sets and objects, said access control lists 
provide said access rights of said subjects on said 
object. 

9. The method of claim 1, wherein 

said role types are organized hierarchically. 

10. A computer system for registration, authorization, and 
control of access rights of at least one subject on at least one 
object, said system comprising: 

at least one parameterized relative resource set, and a 
concrete resource set, instantiated and derived from 
said relative resource set, and said object being an 
element of said concrete resource set, and 

a parameterized role type for controlling said access 
rights, and 

a role instance derived by instantiation from said role type 
and providing said subject a parameter, and 

a capability list derived by instantiation from a capability 
list type, said capability list being associated with said 
role instance and with said subject and providing said 
access rights of said subject on said object, and 

an access control list for said object providing said access 
rights of subjects on said object, and 

means for deriving said access control lists of said objects 
from capability lists associated with subjects, and 

means for deriving said access control lists during a 
configuring step of said system. 

11. The system according to claim 10, further comprising 
means for deriving and generating necessary user accounts 
from locations of objects in said capability lists. 
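The following is an added illustration of the method of claim 1 and of FIGS. 4, 6 and 7 in working code; it is not part of the patent. It instantiates parameterized role types and relative resource sets with the parameter values of a job position, applies the "subsumed" relation, builds the per-subject capability lists and derives the per-object access control lists from them. All role types, resource sets, parameter values and subjects are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data (not from the patent). A relative resource set is
# resolved into a concrete resource set by one parameter value, e.g. "printlocation".
RELATIVE_SETS = {
    "printers": ("printlocation", {"Heidelberg": {"prt01", "prt02"}, "Mannheim": {"prt03"}}),
    "loan files": ("department", {"private loans": {"loans_priv.db"},
                                  "object appraisal": {"appraisal.db"}}),
}
# Role type -> (required parameters, [(relative resource set, permission)])
ROLE_TYPES = {
    "bank employee": ({"printlocation"}, [("printers", "use")]),
    "loan specialist": ({"printlocation", "department"}, [("loan files", "R")]),
    "team-leader": ({"printlocation", "department"}, [("loan files", "W")]),
}
# "subsumed" relation: the subsuming type inherits the rights of the subsumed one,
# instantiated with the same parameter values (it needs at least those parameters).
SUBSUMES = {"team-leader": {"loan specialist"}, "loan specialist": {"bank employee"}}


def instantiate(role_type, params):
    """Role instance = role type + parameter values; returns {(object, permission)}.
    The same parameter values instantiate the associated relative resource sets."""
    required, associations = ROLE_TYPES[role_type]
    missing = required - set(params)
    if missing:  # a role type cannot be instantiated without all its parameters
        raise ValueError(f"{role_type} needs parameters {sorted(missing)}")
    rights = set()
    for rel_set, permission in associations:
        param_name, resolver = RELATIVE_SETS[rel_set]
        for obj in resolver.get(params[param_name], set()):  # concrete resource set
            rights.add((obj, permission))
    for subsumed in SUBSUMES.get(role_type, set()):
        rights |= instantiate(subsumed, params)  # corresponding instance, same params
    return rights


def capability_list(job_position):
    """Per-subject view (FIG. 7, per-subject review): union over the role instances."""
    params, role_types = job_position
    return set().union(*(instantiate(rt, params) for rt in role_types))


def derive_acls(subjects):
    """Per-object view (FIG. 6, derivation means): ACL[object][subject] -> permissions."""
    acls = defaultdict(lambda: defaultdict(set))
    for subject, job_position in subjects.items():
        for obj, permission in capability_list(job_position):
            acls[obj][subject].add(permission)
    return {obj: dict(entries) for obj, entries in acls.items()}


SUBJECTS = {  # constructed: subject -> (parameter values of the job position, role types)
    "staff member 1": ({"printlocation": "Heidelberg", "department": "private loans"}, ["bank employee"]),
    "team leader 1": ({"printlocation": "Heidelberg", "department": "object appraisal"}, ["team-leader"]),
}
```

Running `derive_acls(SUBJECTS)` gives the per-object review: "prt01" lists both subjects with "use", while "appraisal.db" lists only "team leader 1" with "R" and "W", the "R" coming from the subsumed "loan specialist" instance.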